fugacious / fugacious Goto Github PK

• Disable “create temporary link” button until message is entered . This way we can remove the invalid fields error message
• Set hours default to 20 without the .0
• Make the “delete it now” link work, it doesn’t do anything currently

For power users, I'm thinking something like

$ echo $SOMETHING | curl -d @- https://fugacio.us/
https://fugacio.us/m/...

In the case of fugacious, URLs should be treated as sensitive since knowing the URL would allow someone to access the secret stored (assuming it was accessed within the TTL of the secret).

If running fugacious behind an http server like apache or nginx, often these have a default configuration to log all requests, including URLs, to file or stdout. Most PaaS, like Heroku or Cloud Foundry are configured this way, too. Operators of fugacious should take this into consideration when setting up their app, otherwise, they will potentially be disclosing sensitive information to their hosting providers.

We can include a note about how to avoid this disclosure of sensitive information and maybe even include suggested apache or nginx configuration files as examples.

When I share a link in Slack, the number of views is incremented when the link expanding bot views my message unexpectedly.

As far as I can tell, the whenever gem writes to the crontab and doesn't directly schedule work itself. That means it's not going to work with paas environments like cloud foundry or heroku, which don't expose cron to tenant apps. We should use a paas-friendly scheduler instead--i.e., a scheduler that doesn't depend on cron. Since we're already using sidekiq, an extension like sidekiq-cron might make sense.

But while we're talking about this, I wonder if we can also improve on the way we're expiring messages. The current daily cron task schedules one sidekiq job for each message in the database, whether it's expired or not. Then, for each sidekiq job, we load the message record again, check whether it's expired, and delete if so. Why load each record twice? It seems like we should be able to express this job in a single query, like delete from messages where created_at + hours > now(). This isn't quite correctly, but you get the idea.

Options:

• Use sidekiq-cron to replicate the functionality of whenever
• Use sidekiq-cron to delete all expired messages in a single query

For example, it would be great to be able to distinguish between a capital letter O and a zero

Just a thought. You could encrypt messages inside the database, each with its own random key. The encryption key could become part of the URL; the server would throw it out. This would secure people's messages against someone hacking into the database and downloading it (hello Patreon!). Although the combination of the database and the web server logs could still be used to decrypt things (since the key is in the url), so the logs would need to be deleted or anonymized promptly to get full protection out of this.

Creation of a message:

• Generate 64 random chars, not 32.
• First 32 chars become the database primary key, as now.
• Second 32 chars are used to encrypt the message
• The url is https://server/m/(64 chars)

Accessing a message:

• Split the incoming "key" in half, use the first half to look up the db row. Use the second half to decrypt it.

What if someone modifies part of the encryption key? Then the web page would display gibberish?

• You could add a column to the db that's e.g. SHA512(real encryption key) and make sure the incoming one matches. If it doesn't match, return HTTP 404.

and perhaps limit it to 10-15 lines max.

Waldo Jaquith (CHO) [10:00 AM]
[redacted] has sent me a [redacted] license URL via Fugacious. There’s some odd character encoding going on, and hyphens (presumably) in the URL are turning into a sequence of a half-dozen Unicode characters, including 2 unprintable ones. The upshot is that I cannot download the license file to use [redacted]

Travis is enabled for jgrevich/fugacious and not fugacious/fugacious. Please enable.

When sharing a secret which expires far away in the future, the email subject reads:

You have around 499.9996890578189 hours to view it.

Update this value to use the same time_away_in_words being used when displaying a message:

Include more opengraph metadata
Submit to Google webmaster tools, bing, etc

Choose an analytics provider to track progress

Let's say I'm trying to tell someone their password is "insecure"?:<>-*&^. Right now, there's no intuitive way to delimit the password, and they'd see something like:

Your password is "insecure"?:<>-*&^ and you should change it soon.

I think the easiest delimiter would be blank lines, so that the message could be:

Your password is:

"insecure"?:<>-*&^

and you should change it soon.

Explicit support for ways to mark elements as code would fix this too, but I assume they'd be harder.

As a user of fugacious, I want to know that the deployed version is up to date (and it sounds like it isn't right now). Fugacious should be deployed automatically--e.g., on each tagged commit to master.

Provide methods for the user to verify the identity of the recipient. This could be KBA, email, or social login. This will help prevent scrapers (perhaps an email monitor appliance that follows links, slack used to follow links) from viewing the content.

Currently, messages will remain in the database beyond their expiration if an attempted view is not made after expiry. Create a scheduled task or some other sort of service to ensure that stale data does not remain in the database beyond its prescribed lifespan.

Use a library to parse the expiry time so that it is easier to specify when the message expires

• 20 hours
• two days
• 4 weeks
• one day
• tomorrow at noon

from https://www.owasp.org/index.php?title=Transport_Layer_Protection_Cheat_Sheet

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

If max retention hours is 2, the default retention hours in the create form leads to an invalid submission. The default value in the form should be <= the max value.

we should list similar projects to fugacious in our readme or somewhere in our repo: https://github.com/gophergala2016/sendto and https://github.com/micahflee/onionshare

GitHub
gophergala2016/sendto
sendto - 🔒 Sendto lets people send you encrypted files and folders without fussing with keys

GitHub
micahflee/onionshare
onionshare - Securely and anonymously share a file of any size

Upgrade rails

Security issue from Hakiri: There is a possible remote code execution vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-2098.Applications that pass unverified user input to the render method in a controller or a view may be vulnerable to a code injection.Impacted code will look like this:rubyclass TestController < ApplicationController def show render params[:id] endendAn attacker could use the request parameters to coerce the above example to execute arbitrary ruby code.

"Please feel free to check out the source code at github. We welcome any imporvements or bug fixes that you can offer."

create a simple CLI script to access the fugacious API

$fug -m 'this is only a test' => https://fugacio.us/m/G2mGz8ysLnJjur5yRgL66Qj8oUCTZg8z

18F's #products-platforms would like to make our work more public. In order to share our progress with the rest of 18F/TTS we will schedule a bi-weekly sprint review/retrospective and invite all of 18F to the review via post in #general-talk

Deliverables

• Schedule bi-weekly meeting for review/retrospective

• Drop a reminder in #general-talk on the day of the meeting to invite any interested parties

• Add Britta to the invite

• Add Karen to the invite

• The restore option would be inside the message deleted alert and would expire when the user closes the window
• Change alert to message restored after message was restored

When you are viewing a message which has already been destroyed, there is conflicting messaging as to the state of your message. The red box alert is clear that the secret is no longer available, but the second message suggests that it may still exist until the time expires.

The destroy link is also not available in the message, so it can likely be omitted completely.

For your own security, please this message once it is no longer needed.

It looks like Coveralls allows a decrease threshold to be stated:

• Only show temporary message alert when viewing the message after creation (for those receiving the message).
• Only show message created alert to the user who created the message upon creation.
• Deleted message - Update style of message deleted alert and the text for when a message is deleted
• Deleted message - Don’t show the secret message
• Only show created alerts on view number zero

A user should be able to hide the alert boxes using keyboard commands (ESC or X).

https://hakiri.io/github/jgrevich/fugacious/dev

• Please enable Hakiri for new org.
• Update badge in readme

Currently, the message expiration task loads all messages into memory and issues a separate delete for each expired message. We should use a single delete query instead--something like

delete from messages where created_at + interval '1 hour' * hours > now()

That query won't work for all sql flavors. One option here would be to restrict to postgres. If that's a problem, then we could store the expiration time in the messages table instead of the duration to get a portable query like

delete from messages where expires_at > now()

WDYT?

@jgrevich : There's a very high limit to the # of hours you can set to a message.

Example:

You eventually increase the value to something around the scale of 10000000000000 to throw an error. But that aside, the value should be much lower, for two reasons.

1) Resource Exhaustion: an adversary could create scripting to fill up storage over a period of time, and since the data won't be deleted per the excessive time frame, resource exhaustion beyond capacity planning is possible.

2) Allows for violation of policy / intent: Users may fat finger a value much higher than attended. Example, 722 hours instead of 72 hours.

We'd like a hotfix on this as soon as is reasonable on the fugacious.18f.gov instance at minimum, as it will be a blocker to ATOs on systems that mention fugacious in their SSPs - ie, all of them. 😁

Thank you!

Add ability to track current Fugacious use:

1. How many unique visitors do we get?
2. How many messages are sent/ day currently?
3. What agencies use them?

Add an Instructions section to the readme to help users provision fugacious with Chef.

travis, hakiri, coveralls

Please enable coveralls.io for fugacious/fugacious

Fix any deprecation warnings. See:

• https://travis-ci.org/fugacious/fugacious

The self-destruct message says "and" but should be "or"

Users may want to leave a message that can only be opened after a specified 'open after' date. Here are a couple of examples.

—Constructing a test or similar transaction where the answer should only be revealed after a period of time.

—"Voting" type applications where everyone wants to submit their preference or opinion before any answers are revealed.

The UI side would be very easy, simply adding a time input field with the pre-filled default set to now.

In order to improve relations with fellow devs; we need to include simple instructions to get from git checkout to rails s. This encourages outside contributions and eases the level of effort to dig in to our codebase.

• https://github.com/fugacious/fugacious#getting-started

Hakiri reports several security issues related to Rails 4.2.0. Updating Rails would avoid such issues.

Add the following to installation instructions:

===

Add to your local Gemfile.

source 'https://rubygems.org'
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
ruby '2.3.3'

This sources github repos via https and will remove https warnings

===

Xcode

i18n support for headers, buttons, and basic copy.

Include the following:

• history of fugacious
• why fugacious has its own org
• how 18F manages control over fugacious.18f.gov
• link to SSP/ATO controls documentation

Security issue from Hakiri: REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.

upgrade rest-client

This would enable access to the secret only when the sender literally has the tab open in fugacious where they entered it.

The data would never be stored in fugacious' database, and it would never be transmitted through fugacious' servers. Instead, fugacious' JavaScript would be responsible for establishing the peer-to-peer connection and transferring the data directly from the sender to the receiver.

This is a non-trivial feature addition, but I wanted to get it down while I was thinking about it. Because it eliminates the need for a database (at the cost of forcing transfers to be mostly synchronous/coordinated) it might even be a better fit for another tinier app entirely. But if this project is interested in it, it'd be a fun, useful feature.

When trying to run the app locally, I get this error:

Unexpected error while processing request: Default policy not yet supplied
	/Users/jessieayoung/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/secure_headers-3.6.1/lib/secure_headers/configuration.rb:44:in `get'
	/Users/jessieayoung/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/secure_headers-3.6.1/lib/secure_headers.rb:227:in `config_for'
	/Users/jessieayoung/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/secure_headers-3.6.1/lib/secure_headers/middleware.rb:14:in `call'

I assume there is a config somewhere not in git for this? Can we add something to go to make it work?

I'm seeing the string For your own security, please this message once it is no longer needed. and I assume that there's supposed to be a word, possibly “delete”, between “this” and “message”.